What is the business model?


An additional problem, from my standpoint, is that EV certs are only available to registered businesses. As a developer / pro bono service supplier who is not a business (and doesn’t want to go that route again) I’ve no way to get a ‘green bar’ much as I’d like to. Though I’m happy to prove who I am that isn’t permitted by the current offerings.

Whether there is an alternative option though is something for the (far?) future to decide upon.


Boulder / Let’s Encrypt supports CAA from day 1.


My guess is that somehow they are going to get some kind of mined data or marketing out of the deal. There is little to suggest that losing business is good for their business.


What kind of data are they going to mine? Let’s Encrypt doesn’t necessarily collect any valuable information from users.

I could see ubiquitous HTTPS increasing EV certificate sales.


[quote=“mholt, post:24, topic:310, full:true”]
What kind of data are they going to mine? Let’s Encrypt doesn’t necessarily collect any valuable information from users.[/quote]

In this day and age all information is valuable.

I am not presuming that LE collects or shares data purposefully.

I do not know if it occurs or not but while IdenTrust is still the primary signer perhaps some traffic would hit their servers when customers hit the LE sites and view certs (at least they will see the name here if they dig a bit I understand) or when administrators set up LE signed servers. This is the sort of traffic that I suppose would give IdenTrust their moneys worth of market share data to justify the co-signing during the early days that LE is not registered everywhere by default. While it may not be much market data it would be a source that no other commercial CA is privy to.

I expect this will happen too but it does not increase IdenTrusts market share proportion, just the total market volume, however if users and administrators are happy with LE they may never go to IdenTrust or other CAs unless the LE service is in some ways inadequate (see thread on expiry periods). I expect that a lot of administrators will inevitably consider IdenTrust first if they are looking for a paid certificate and this may be the only benefit they need.


Again not able to offer any ideas on commercial or cryptographic value to the following types of leak but this is the sort of data that IdenTrust may be able to receive and get some marketing benefits from it.


I highly doubt they are planning on mining OCSP, considering that they’ve asked us to implement OCSP stapling right from the get-go in our server implementation: https://github.com/mholt/caddy/issues/280#issue-112282397 - if they wanted to see which sites you are visiting they wouldn’t want stapling in servers.


As I said previously note that IdenTrust does not offer EV certificates: